[tor-bugs] #20146 [Applications/Tor Browser]: Tor browser certificate pinning bypass for addons.mozilla.org and other pinned sites
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 16 13:57:34 UTC 2016

#20146: Tor browser certificate pinning bypass for addons.mozilla.org and other pinned sites
--------------------------------------+--------------------------
 Reporter:  mancha                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Comment (by arma):
 Sebastian points out, I think correctly, that right now there is an
 https-everywhere update key somewhere in the world that is trusted by Tor
 Browser users (i.e. it can give them a bad update if it wants). GeKo
 points out that this issue is #10394.
 Separately, there is a site called addons.m.o which is trusted by Tor
 Browser users, because it can give them a bad noscript (either by having
 users accidentally go to a fake addons.m.o, or by having users go to the
 real one and it gives them a bad update).
 My 'option 1' above leaves both of these issues in place.
 My 'option 2' resolves both of them, assuming we do it for both noscript
 and https-everywhere.
 Whereas my 'option 3' replaces the addons.m.o issue with a new "there's a
 noscript update key somewhere in the world that is trusted" issue.
 This logic makes me like 'option 2' even more.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20146#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online